CVE-2024-30260

MEDIUM EPSS 49.8%
Published Apr 4, 20242y ago · Modified Jun 17, 20261w ago
4.3 CVSS 3.1
Medium
Find Similar
Published Apr 4, 2024 2y ago
Last Modified Jun 17, 2026 1w ago

Description

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.

CVSS Details

Base Score
4.3
Exploitability
0.9
Impact
3.4
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity Low
Availability Low

Threat Intelligence

EPSS Exploit Probability
49.8% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 2

CWE-285
CWE-863 Incorrect Authorization Authorization

Affected Products 5

VendorProductVersionRange
nodejsundici* <5.28.4
nodejsundici*≥6.0.0  –  <6.11.1
fedoraprojectfedora38any
fedoraprojectfedora39any
fedoraprojectfedora40any

References 7

  • github.com https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
    Patch
  • github.com https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
    Patch
  • github.com https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
    PatchVendor Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33/
    Product
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ/
    Product
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E/
    Product
  • security.netapp.com https://security.netapp.com/advisory/ntap-20240905-0008/

Remediation

  • github.com https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
    Patch
  • github.com https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
    Patch
  • github.com https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
    PatchVendor Advisory